IBM Cloud Satellite and Regulated Workloads

Greg Hintermeister
AI+ Enterprise Engineering
7 min read · Aug 30, 2022

Running regulated workloads is a complex endeavor. Not only do you need to worry about the “normal” things any mission-critical application requires (availability, security, performance, disaster recovery, and many more), you also need to worry about compliance, not just for the application but for the data it uses. In many cases, the data is under strict regulations that make it quite difficult to run your regulated workloads in a public cloud.

As I talk with many clients in regulated industries, their challenges running regulated workloads could be resolved if they could accomplish three goals:

Clients want to:

  • Build, deliver, and manage applications across a hybrid multicloud environment
  • Bring the best of cloud wherever the applications need to run, yet maintain a simple “as a service” experience
  • View common compliance across the entire platform

In other words, clients need to build, deliver, and manage applications anywhere the data resides. Most of the time that means in various hybrid cloud locations where the regulatory requirements for the data (and for the application’s usage of that data) need to be met.

Now, if they could have that ability to run applications anywhere, clients then want that hybrid platform to run “as-a-service”. Clients don’t want to spend their precious talent performing operations and maintenance across this hybrid platform; clients want to use their talent innovating to grow their business and delight their customers.

Finally, if they could have a hybrid environment that runs as-a-service to run the applications, clients need to prove that the environment is compliant across the entire landscape. To achieve that they really want a common compliance capability.

What Cloud Satellite Delivers

That is exactly what we are providing with IBM Cloud Satellite. In the figure below you can see how Cloud Satellite can help clients achieve these goals.

Clients can stand up an IBM Cloud Satellite location utilizing existing infrastructure (think of this location as a “mini cloud region”). Once created, a secure link is established between the location and IBM Cloud so that users can deploy cloud services into these locations. The great thing about this is that cloud services like OpenShift, databases, Kafka, and object storage are delivered into these remote locations and still managed as-a-service. IBM SREs are responsible for the service, which frees up time and talent so client teams can focus on innovation. As the graphic above shows, clients can customize these locations, the infrastructure attached to these locations, and the services deployed within these locations, whether the location is on another cloud platform or on-premises right next to the sensitive data.

Once this environment is established, client development teams can then use IBM toolchains or use their custom DevOps pipelines to deliver their applications from a common location into multiple targets.

Finally, once all that is set up and the applications are being delivered, clients can set up common compliance by adding Security and Compliance Center. Security and Compliance Center can scan not only IBM Cloud regions but also Cloud Satellite environments with OpenShift across Satellite locations, whether in on-premises environments or in public cloud environments like Azure and AWS. Security and Compliance Center even runs on our latest IBM z16. As a result, clients start getting a complete compliance view across this entire hybrid cloud environment.

In Action

Let’s take a quick look. For the full experience, take a look at this video with the full demonstration:

Here are a number of locations, and each of them has a variety of OpenShift environments (along with data services, all managed by IBM Cloud but running in remote locations).

From here I can monitor the state of each location, and if I click into a location, I can view individual host status as well as secure link endpoint status. In addition, because many of our clients need to understand exactly what is being transferred through the secure link (we call it Satellite Link), on the link endpoint page admins can control who can access these link endpoints, and can even turn them off.

Let’s focus now on deploying workloads across multiple locations. To do that click into Satellite Configurations. These are application deployment files that I have set up. Each one can have multiple versions.

When a developer chooses to deploy an application, they can do so from their pipeline, but for an easy visual I’m going to select the “asset-manager-app” and deploy “v2”.

I have selected a cluster group to simplify which clusters this application should deploy into. When I click “Create Subscription”, IBM Cloud Satellite will create a subscription deploying this application into each cluster in the group I’ve selected.

As you see in the video, “v2” of asset manager is nearly instantly deployed across multiple Satellite locations. What that means is that I can have applications centrally deployed in a consistent manner. Further, as the video shows, I can edit the subscription and change it to “v3” of the application. Again, nearly instantly, the application is deployed across the cluster group, allowing the entire DevOps process to be automated from a central location without requiring local operations teams.

Compliance

While developers, operations teams, and lines of business are delighted with the goals that Cloud Satellite helps achieve, the compliance officer and CISO are even more focused on achieving their compliance goals.

This is where Security and Compliance Center comes in.

Security and Compliance Center is composed of Goals, Controls, Profiles, Scopes, and Scans. Here’s how it works:

  • Goals: What is being measured for compliance
  • Controls: A collection of goals that maps to a compliance control
  • Profiles: A collection of controls selected to scan against for compliance
  • Scopes: The resources to be scanned
  • Scans: The results of a selected profile applied to a selected scope. The result is a list of evidence and reports showing what is in compliance, what is not, and what actions should be taken to fix it.
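To make the hierarchy above concrete, here is an added example (my own illustration, not IBM code and not the Security and Compliance Center API) that models goals, controls, a profile and scopes, runs a scan over constructed resources in two locations, and aggregates the results into a single posture score. The control “AC-4” is the one named later in this post; the worker-node control, the resource attributes and the two scopes are constructed for the example.

```python
from collections import namedtuple

# Hypothetical model of the Goals/Controls/Profiles/Scopes/Scans hierarchy described
# above. Constructed for illustration only; this is not the SCC API or data model.
Goal = namedtuple("Goal", "goal_id check remediation")  # what is measured, and the fix when it fails
Control = namedtuple("Control", "control_id goals")      # passes only if every goal passes on every resource
Profile = namedtuple("Profile", "name controls")         # the controls selected for the scan
Scope = namedtuple("Scope", "name resources")            # the resources to be scanned

def run_scan(profile, scope):
    """Apply a profile to a scope: per-goal evidence, failed controls and fix actions."""
    evidence, actions, failed = [], [], set()
    for control in profile.controls:
        for goal in control.goals:
            for res in scope.resources:
                ok = bool(goal.check(res))
                evidence.append((control.control_id, goal.goal_id, res["name"], ok))
                if not ok:
                    failed.add(control.control_id)
                    actions.append(f"{res['name']}: {goal.remediation}")
    return {"scope": scope.name, "total": len(profile.controls),
            "failed": sorted(failed), "evidence": evidence, "actions": actions}

def posture(scans):
    """Aggregate score across scans: percent of (control, scope) pairs that passed."""
    total = sum(s["total"] for s in scans)
    failed = sum(len(s["failed"]) for s in scans)
    return round(100 * (total - failed) / total) if total else 0

# Constructed sample: a Satellite Link endpoint and a worker node in each of two locations.
AC4 = Control("AC-4", [Goal("link-endpoint-access-restricted",
    lambda r: r["kind"] != "link_endpoint" or r["access_restricted"],
    "restrict who can reach this Satellite Link endpoint, or turn it off")])
NODE = Control("WORKER-AUDIT (constructed id)", [Goal("worker-audit-logging",
    lambda r: r["kind"] != "worker" or r["audit_logging"], "enable audit logging on the node")])
PROFILE = Profile("regulated-workloads (constructed)", [AC4, NODE])
SCOPES = [
    Scope("ibm-cloud-location", [{"name": "link-ep-db", "kind": "link_endpoint", "access_restricted": True},
                                 {"name": "worker-1", "kind": "worker", "audit_logging": True}]),
    Scope("azure-location", [{"name": "link-ep-kafka", "kind": "link_endpoint", "access_restricted": False},
                             {"name": "worker-2", "kind": "worker", "audit_logging": True}]),
]
SCANS = [run_scan(PROFILE, s) for s in SCOPES]  # aggregate view: posture(SCANS)
```

The Azure scope fails AC-4 because its link endpoint is unrestricted, so the aggregated posture is 75% with one remediation action listed against that endpoint.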

The image above shows the overall compliance posture for all resources I am scanning. It aggregates all the scans I’ve performed. In this case, the compliance score aggregates a collection of resources across IBM Cloud and Azure.

For regulated workloads running in a Cloud Satellite environment, there are a few elements to pay attention to. The first one is an overall IBM Cloud posture since those controls will cover account, access controls, etc.

The image above shows which controls passed compliance and which controls failed.

Further, you can click into the details to see which goals were monitored for a control; the image above shows the goals that passed or failed for control “AC-4: Information Flow Enforcement”. This kind of detail is available for many resources across IBM Cloud.

But what about OpenShift clusters delivered through IBM Cloud Satellite? Compliance scanning is accomplished by using the OpenShift Compliance Operator.

In this figure you can see controls being scanned for any worker node in a Satellite environment. This gives you additional levels of compliance evidence regardless of where this OpenShift cluster is running.

Finally, for Satellite environments running in Azure infrastructure, Security and Compliance Center can scan Azure accounts and show a level of compliance that brings the full story of end-to-end compliance together in one place.

As a result, I can monitor not only what IBM Cloud is doing in this Satellite environment but, more broadly, the Azure infrastructure as well.

Summary

As you can see, using the combination of IBM Cloud Satellite and Security and Compliance Center can help clients achieve their three main goals in running regulated workloads:

  • Build, deliver, and manage applications across a hybrid multicloud environment
  • Bring the best of cloud wherever the applications need to run, yet maintain a simple “as a service” experience
  • View common compliance across the entire platform

This can be accomplished through running a Cloud Satellite location in environments where the applications need to run (next to the data), coupled with the ability to deliver applications across all of these locations from a central means, combined with the ability to monitor security and compliance across IBM Cloud, Satellite locations, and other public clouds like Azure, and view the results from a single view.

Thank you so much for your time and attention. Add your comments below to further the discussion.


Greg is an inventor, musician, believer, husband, father, parrothead. His expertise can be found helping clients, his heart can be found wherever his wife is.